MacOS Malware

macOS malware includes viruses, trojan horses, worms and other types of malware that affect macOS, Apple's current operating system for Macintosh computers. macOS (previously Mac OS X and OS X) is said to rarely suffer malware or virus attacks, and has been considered less vulnerable than Windows. There is a frequent release of system software updates to resolve vulnerabilities. Utilities are also available to find and remove malware.


History

Early examples of macOS malware include MP3Concept (discovered 2004, a benign proof of concept for a trojan horse), Leap (discovered in 2006, also known as Oompa-Loompa) and RSPlug (discovered in 2007). An application called MacSweeper (2009) misled users about malware threats in order to take their credit card details. The trojan MacDefender (2011) used a similar tactic, combined with displaying popups. In 2012, a worm known as Flashback appeared. Initially, it infected computers through fake Adobe Flash Player install prompts, but it later exploited a vulnerability in Java to install itself without user intervention. The malware forced Oracle and Apple to release bug fixes for Java to remove the vulnerability.

Bit9 and Carbon Black reported at the end of 2015 that Mac malware had been more prolific that year than ever before, including:

* Lamadai – Java vulnerability
* Appetite – Trojan horse targeting government organizations
* Coin Thief – Stole bitcoin login credentials through cracked Angry Birds applications

A trojan known as Keydnap first appeared in 2016, which placed a backdoor on victims' computers. Adware is also a problem on the Mac, with software like Genieo, which was released in 2009, inserting ads into webpages and changing users' homepage and search engine. Malware has also been spread on Macs through Microsoft Word macros.

macOS, known for its robust security, has faced evolving challenges regarding malware over time. In the early years, macOS remained relatively immune compared to other operating systems due to its Unix-based architecture and lower market share. However, as its popularity grew, so did the interest of cybercriminals. In 2006, the first significant macOS malware, the Leap-A (also known as Oompa-Loompa) worm, emerged, spreading through instant messaging. Subsequent years saw sporadic instances of malware targeting Macs, including fake antivirus software like MacDefender in 2011 and the Flashback trojan in 2012, which infected hundreds of thousands of Macs by exploiting vulnerabilities in Java. These events marked a shift, prompting Apple to enhance its security measures and introduce features like Gatekeeper, XProtect, and the App Store, aiming to protect users from potential threats in the evolving landscape of macOS malware.

macOS includes built-in security features designed to protect users from various threats, including ransomware attacks. Features such as Gatekeeper, which verifies the legitimacy of downloaded applications, and FileVault, which encrypts data on the hard drive, contribute to enhancing the overall security of the system. Additionally, Apple regularly releases security updates and patches to address vulnerabilities and known exploits that ransomware may target. However, while macOS incorporates robust security measures, no system is completely immune to evolving cyber threats. Users must practice caution by regularly updating their operating system, installing software only from trusted sources, and maintaining backups of their important data to mitigate the risk of falling victim to ransomware attacks.


Ransomware

In March 2016 Apple shut down the first ransomware attack targeted against Mac users, encrypting the users' confidential information. It was known as KeRanger. After completing the encryption process, KeRanger demanded that victims pay one bitcoin (about at the time, about as of May 16, 2025,) for the user to recover their credentials.


Mitigation

Gatekeeper is a built-in security feature of macOS meant to reduce malware execution by verifying downloaded applications before they are launched for the first time. macOS 12.3 introduced XProtect Remediator, a tool which regularly scans the system for known malware.

